Legally Sound But Technologically Wrong (2/2)

by Daniel B. Garrie & Bill Spernow

In Part One of this article, we identified a test case, Trump v. Genger, supporting our thesis that technological misunderstandings almost inevitably lead a court to commit legal error in e-discovery decisions. As described in Part One, the Trump case involved significant sanctions imposed upon defendant Genger because he wiped the unallocated space of certain computer hard drives. Defendant did so after first taking a file level snapshot of the “existing files” on the hard drives and then reviewing those existing files for national security and personal information. Any sensitive documents were encrypted, and the hard drives were then returned to Plaintiff. The wiping was necessary to delete unencrypted copies of the sensitive documents automatically generated as part of the encryption process. In Part Two, we explain why the Court was wrong to find spoliation and impose sanctions.

The court’s logic in imposing sanctions was faulty on a number of levels. Our first example is significant: the court did not properly determine if relevant documents had been destroyed by the wiping software. In its opinion, the court references the “Lentz Memo” as one of the missing documents that could have been recovered from unallocated space as a deleted file – assuming the unallocated space had not been wiped by the Defendant. The Court’s determination, however, was based solely on cause and effect (it should be here, it’s not, hence it must have been wiped), not independently verifiable forensic evidence.

Other technological reasons, however, would also explain why the missing files could not be found in the unallocated space. What the Court perhaps did not fully understand is that every action, including just turning on the computer in the morning, creates, deletes and modifies hundreds of files and overwrites data in the unallocated space. Given the nature of the encryption process expressly permitted by the Court, it is more than likely that all, or almost all, the data in the unallocated space had already been overwritten. This is because, as the court recognized, the encryption process creates at least one or more temporary files, a final “encrypted” file, and the need to delete the original file. All of this activity consumes resources in the unallocated space area of the hard drive. Given the large number of documents reviewed over the course of days by a team of attorneys, any data in the unallocated space could have easily been overwritten by the encryption process. Thus, the Judge’s order, by permitting the encryption of files stored on the systems in question, most likely resulted in overwriting substantial blocks of data that previously had existed in the unallocated space. If, as the Court found, there was a smaller dedicated unallocated space for electronic mail and email attachments, then all email derived data in this smaller, segregated segment was almost certainly overwritten before the wiping software was utilized. If the “Lentz Memo”, as an example, had been deleted from the unallocated space, it could have been innocently overwritten by the thousands of files created during the encryption process specifically allowed by the Court. So even if the wiping software had not been run by the Defendant, the Lentz Memo would have never been found, and its absence does not demonstrate the Defendant wiped it.

It is also unclear whether the file level copying process created a copy of the $MFT file for each computer backed up. This is important because the $MFT file, a Windows system file that is really a small database, contains technical details about all valid files and most deleted files. Think of the $MFT file as the table of contents for a hard drive that points you to the page of interest. Failing to examine this file to determine what details existed about previously deleted files was a significant technical oversight that ignored valuable potential evidence. This is critical because a review of the $MFT could likely have resolved the court’s concern regarding intentional spoliation by specifically identifying the names and sizes of the files that had been recently deleted.
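To make the $MFT point concrete, here is an added example (not code from the authors or from any tool used in the case) that walks NTFS file records and lists the names and recorded sizes of entries whose in-use flag is clear. It assumes 1024-byte records and runs on a constructed sample built by the hypothetical helper `make_record`; a real $MFT also needs its update-sequence fixups applied before parsing.

```python
import struct

RECORD_SIZE = 1024                      # common NTFS file-record size
IN_USE, FILE_NAME, END = 0x0001, 0x30, 0xFFFFFFFF

def parse_record(rec):
    """Return (name, size, deleted) for one MFT FILE record, else None."""
    if rec[:4] != b"FILE":
        return None
    off, flags = struct.unpack_from("<HH", rec, 20)   # first attr, record flags
    name = size = None
    while off + 24 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == END or a_len < 24 or off + a_len > len(rec):
            break
        if a_type == FILE_NAME and rec[off + 8] == 0:  # resident $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 20)[0]
            size = struct.unpack_from("<Q", rec, c + 48)[0]   # recorded size
            name = rec[c + 66:c + 66 + 2 * rec[c + 64]].decode("utf-16-le")
        off += a_len
    return name, size, not flags & IN_USE

def deleted_entries(mft):
    """Names and sizes of records whose in-use flag is clear (deleted files)."""
    rows = (parse_record(mft[i:i + RECORD_SIZE])
            for i in range(0, len(mft), RECORD_SIZE))
    return [(r[0], r[1]) for r in rows if r and r[0] and r[2]]

def make_record(name, size, in_use):
    """Constructed sample record: header plus one $FILE_NAME, no fixups."""
    body = struct.pack("<7Q2I2B", 5, 0, 0, 0, 0, size, size, 0, 0,
                       len(name), 1) + name.encode("utf-16-le")
    a_len = (24 + len(body) + 7) & ~7               # attributes are 8-aligned
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, a_len, 0, 0, 0, 0, 0,
                       len(body), 24, 1, 0) + body
    head = b"FILE" + struct.pack("<HHQHHHHII", 48, 3, 0, 1, 1, 56,
                                 IN_USE if in_use else 0, 56 + a_len + 8, 1024)
    rec = head.ljust(56, b"\0") + attr.ljust(a_len, b"\0") + struct.pack("<I", END)
    return rec.ljust(RECORD_SIZE, b"\0")

# Constructed sample $MFT extract: one live file and two deleted ones.
SAMPLE_MFT = (make_record("budget.xlsx", 20480, True)
              + make_record("memo_draft.doc", 48128, False)
              + make_record("notes.txt", 1200, False))

if __name__ == "__main__":
    for name, size in deleted_entries(SAMPLE_MFT):
        print(f"deleted: {name} ({size} bytes)")
```

The size is read from the $FILE_NAME attribute, which NTFS does not always keep current; an examiner would cross-check it against the record's $DATA attribute.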

The court also apparently did not understand that most data in unallocated space are random fragments. The analogy here is expecting entire pristine documents in an area that consists mostly of confetti. This is probably why the computer consultants never preserved the unallocated space before the encryption process was initiated. The initial judicial preservation order issued by the Court prohibited the destruction of any company related documents, books, or records. It is not clear how Judge Strine bridged the technology world from that routine mandate to the finding that deleted files, which per normal descriptive terms are already destroyed and unrecoverable by the Windows Operating System, fall within those parameters. What started as a routine e-Discovery process, which pays no attention to deleted files, was subsequently transformed into an e-Forensic investigation about deleted files, to Defendant’s disadvantage.

It is wholly unreasonable for courts to expect litigants to preserve the unallocated space of their computers, or understand they are required to preserve unallocated space, as the result of a routine preservation order. To expand preservation orders to include unallocated space in computers and servers on pain of sanction, as Judge Strine now has done in the Delaware courts, is unworkable and unreasonable. To preserve this storage space, a company would effectively have to shut down all their computers and servers prior to imaging – grinding the business to a halt. Even then, it is not always possible to recover deleted files from unallocated space, as opposed to random bits and pieces of the whole. Additionally, because of the random nature of the unallocated space, it is impossible to know with certainty where the information sought is located. It is a simple matter to segregate active files by custodian. If employee John Smith has information regarding the litigation, you segregate his active files and search them for useful information. With fragments of files, as typically found in unallocated space, no such segregation is possible. The analogy here is searching for a needle in a field of haystacks. The cost will always outweigh the benefits, if any, of such a search. For a company that has a number of servers, even the cost of imaging and maintaining the unallocated space, as will be required if unallocated space is now part of every “status quo” preservation order and litigation hold, may be prohibitively expensive.

Finally, the court was correct to note that the timing of the wipe by Genger and his consultant, at night after everyone was done for the day, might provide reason for suspicion. However, undertaking such a lengthy process at night is a common practice that minimizes the impact of the e-discovery process on the business. Accordingly, such actions on their own should not have led the court to conclude a nefarious intent. Indeed, if Defendant’s consultant Mr. Ohana was really trying to hide his actions from discovery, he could easily remove all trace evidence of his wiping activities. The failure to do so supports the innocent explanation for the wipe offered by the defendant.

Armed with partial or incomplete information regarding digital matters as noted above, courts unfortunately can reach the wrong conclusion. That is what happened in Trump v. Genger, where Plaintiff successfully, but mistakenly, asserted that the defendant committed spoliation of evidence, and unwittingly led Judge Strine to impose an unreasonable and expensive burden upon this Defendant and all future litigants and companies in the State of Delaware – the burden of preserving unallocated space on pain of spoliation sanctions.

* Mr. Garrie is a lawyer and technologist and is recognized as one of the eminent thought leaders in electronic discovery. Mr. Garrie is a managing partner at Law & Forensics, a national legal risk management consulting firm, and serves as an e-discovery arbitrator and special master all over the United States. He has also held technology positions in both the private and public sector. He can be reached at

** This is the first part in a three-part series which comprises an abridged version of the article “Defining E-Discovery in Arbitration,” written by Daniel Garrie and published in the Los Angeles Daily Journal.

*** Mr. Spernow combined a career as a computer engineer and California Peace Officer and quickly obtained a national reputation as one of the first Cyber Cops. He has held IT Security positions in both the public and private sector and currently provides litigation and forensic support services in the Atlanta area.